In late 2022, a significant security issue came to light affecting IBM Robotic Process Automation (RPA) versions 21.0.1 through 21.0.5. The vulnerability, tracked as CVE-2022-43574 and as IBM X-Force ID 238679, centers on incorrect permission assignment: certain users could read sensitive application configuration that they should not have been able to access.
If you run IBM RPA, understanding and fixing this vulnerability is crucial. In this post, let's break down what happened, the potential risks, how an attacker might exploit it, and what you can do to stay safe. We'll use clear language and relevant code snippets, so you can see exactly what went wrong.
What Is CVE-2022-43574?
In the affected IBM Robotic Process Automation versions (21.0.1 to 21.0.5), incorrect file or role permissions on configuration files or application data could let unauthorized users read internal RPA configuration details.
This means a user with limited permissions—or even sometimes a remote attacker who gained a foothold—could read files or settings normally reserved for administrators, including things like database connections, API keys, and other secrets.
IBM’s official disclosure
> “IBM Robotic Process Automation 21.0.1, 21.0.2, 21.0.3, 21.0.4, and 21.0.5 is vulnerable to incorrect permission assignment which could allow access to application configurations.”
>
> IBM Security Bulletin
Vulnerable Scenarios: How Does This Happen?
The issue arises when sensitive files or directories within the RPA installation directory are accidentally given overly permissive access. For example, a deployment script might run as root or Administrator and leave behind configuration files readable by a broad group on Linux, or by Everyone on Windows.
Example: An Overly Permissive Config File on Linux

```bash
$ ls -l /opt/ibm/rpa/config.json
-rw-rw-r-- 1 rpauser rpagroup 234 Jan 15 08:00 config.json
# Both owner (rpauser) and group (rpagroup) can read and write.
# Others can read (r--): this is too open!
```
On Windows, the file permissions might look like this:

```powershell
# Show the ACL on the config file
icacls "C:\Program Files\IBM\RPA\config.json"
# Output might include:
#   BUILTIN\Users:(I)(RX)
#   Everyone:(RX)
# This means all local users can read (R) and execute (X) this file.
```
Why is this bad?
Anyone who can read these files may see credentials or connection strings like:

```json
{
  "dbConnection": "Server=db.example.com;User Id=appuser;Password=P@sswrd;"
}
```
How Attackers Could Exploit CVE-2022-43574
Let’s look at a straightforward way an attacker can leverage this misconfiguration.
Step 1: Gain Local Access
This exploit requires, at minimum, some level of local access. On a multi-user system, this might be just a basic account, like a developer or service user.
A simple scan can list files with world-readable permissions:

```bash
# Find overly readable files in the RPA installation
find /opt/ibm/rpa -perm -o=r
```

On Windows, searching for files accessible to "Everyone" can be done using PowerShell or GUI tools.

Now the attacker can view the sensitive configs:

```bash
cat /opt/ibm/rpa/config.json
```

Or, if the secrets are encrypted but the key is stored unprotected in the same configs, run the available decryption utility with that extracted key.

Suppose an attacker finds the RPA installation at /opt/ibm/rpa/ and the following in config.json:

```json
{
  "adminUser": "admin",
  "adminPass": "SuperSecret123"
}
```

The attacker runs:

```bash
cat /opt/ibm/rpa/config.json | grep admin
```

and gets:

```json
"adminUser": "admin",
"adminPass": "SuperSecret123"
```
Now, the attacker can log in to the RPA Console as the administrator, or use these credentials to access REST APIs with admin rights.
Mitigation
IBM instructs users to update to a fixed version. If you’re running 21.0.1 to 21.0.5, update as soon as possible. Until then, tighten the file permissions yourself.

On Linux:

```bash
chmod 640 /opt/ibm/rpa/config.json
chown rpauser:rpagroup /opt/ibm/rpa/config.json
```
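The audit that the conclusion recommends, written out as an added example (it is not IBM's tooling and not from the original post): a small POSIX shell script that walks an install directory such as the hypothetical /opt/ibm/rpa, flags regular files that are readable by others or writable by the group, marks which of those also contain credential-looking keys like the `adminPass` and `dbConnection` entries shown above, and can tighten the offending files to mode 640. The directory, owner and group are assumptions; adjust them for your deployment.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on RPA-style config files.
# Assumed layout: /opt/ibm/rpa owned by rpauser:rpagroup (not from IBM docs).

# Print regular files under $1 whose mode lets "other" read them (o+r, 004)
# or the group write them (g+w, 020). Octal masks keep this portable.
list_open_files() {
  find "$1" -type f \( -perm -004 -o -perm -020 \) 2>/dev/null
}

# Number of such files, as a bare integer.
count_open_files() {
  list_open_files "$1" | wc -l | tr -d ' '
}

# Heuristic: does the file carry a JSON key that usually holds a credential?
has_secret_keys() {
  grep -Eiq '"(adminPass|password|passwd|apiKey|secret|token|dbConnection)"' "$1"
}

# Report one line per offending file: TOO_OPEN, or TOO_OPEN+SECRET when the
# file also looks like it stores credentials. Returns 0 only if nothing was found.
audit_perms() {
  list_open_files "$1" | while IFS= read -r f; do
    if has_secret_keys "$f"; then
      tag="TOO_OPEN+SECRET"
    else
      tag="TOO_OPEN"
    fi
    printf '%s %s\n' "$tag" "$f"
  done
  [ "$(count_open_files "$1")" -eq 0 ]
}

# Remediate: owner rw, group r, nothing for others (mode 640), only on files
# that failed the check. If an owner and group are given, re-own them too.
fix_perms() {
  dir="$1"; owner="${2:-}"; group="${3:-}"
  find "$dir" -type f \( -perm -004 -o -perm -020 \) -exec chmod 640 {} +
  if [ -n "$owner" ] && [ -n "$group" ]; then
    find "$dir" -type f -exec chown "$owner:$group" {} +
  fi
}

# Usage: sh audit_rpa_perms.sh /opt/ibm/rpa [--fix [owner group]]
if [ "$#" -gt 0 ]; then
  if ! audit_perms "$1"; then
    echo "found files with overly permissive modes" >&2
    if [ "${2:-}" = "--fix" ]; then
      fix_perms "$1" "${3:-}" "${4:-}"
    fi
  fi
fi
```

Run it read-only first and review the report; files tagged TOO_OPEN+SECRET are the ones to treat as potentially exposed credentials, which means rotating them after fixing the mode, not just fixing the mode. The `--fix` pass changes only files that failed the check, so files that were already correct are left alone.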
On Windows:
- Right-click the config file, choose *Properties > Security*, and remove "Everyone" or "Users" read access.
Always follow IBM’s security bulletins:
- IBM Security Bulletin: CVE-2022-43574
Key Links and References
- IBM Security Bulletin for CVE-2022-43574
- NIST NVD page for CVE-2022-43574
- X-Force Exchange ID: 238679
- Basic guide to Linux file permissions
Conclusion
CVE-2022-43574 is a perfect example of how “just” a permission slip can open the door to serious security issues, especially in automation tools that tie deeply into company infrastructure. If you run IBM RPA, audit your deployment for world-readable or weakly protected configuration files and upgrade to the latest fixed version. Even after you patch, it’s good practice to restrict sensitive files and watch for unexpected access to them.
Timeline
Published on: 11/03/2022 20:15:00 UTC
Last modified on: 11/04/2022 16:20:00 UTC